{
	"id": "eb35f176-78e1-44b7-9eff-bff38e20b638",
	"created_at": "2026-04-06T00:14:07.488762Z",
	"updated_at": "2026-04-10T03:30:11.980386Z",
	"deleted_at": null,
	"sha1_hash": "21d43b444b2e9539656436d97e5e4e6cc60328f2",
	"title": "GobRAT malware written in Go language targeting Linux routers - JPCERT/CC Eyes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2523621,
	"plain_text": "GobRAT malware written in Go language targeting Linux routers\r\n- JPCERT/CC Eyes\r\nBy 増渕 維摩(Yuma Masubuchi)\r\nPublished: 2023-05-28 · Archived: 2026-04-05 16:11:08 UTC\r\nTool\r\nJPCERT/CC has confirmed attacks that infected routers in Japan with malware around February 2023. This blog article explains the details of the attack confirmed by JPCERT/CC and the GobRAT malware used in the attack.\r\nAttack flow up to malware execution\r\nInitially, the attacker targets a router whose WEBUI is open to the public, executes scripts possibly by using vulnerabilities, and finally infects it with GobRAT. Figure 1 shows the flow of the attack until GobRAT infects the router.\r\nFigure 1: Attack Flow\r\nLoader Script works as a loader, containing functions such as generating various scripts and downloading GobRAT. The SSH public key, which is assumed to be used for the backdoor, is hard-coded in the script. In addition, since Loader Script uses crontab to register the file path of Start Script for persistence, GobRAT does not have such a function.\r\nhttps://blogs.jpcert.or.jp/en/2023/05/gobrat.html\r\nPage 1 of 10\r\nThe functions of Loader Script are as follows:\r\nDisable Firewall function\r\nDownload GobRAT for the target machine's architecture\r\nCreate Start Script and make it persistent\r\nCreate and run Daemon Script\r\nRegister an SSH public key in /root/.ssh/authorized_keys\r\nFigure 2 is the code of Start Script that executes GobRAT. The script is unique in that it writes the startup time to a file named restart.log. In addition, this script executes GobRAT under the file name apached to make it look like a legitimate process.\r\nFigure 2: Start Script\r\nFigure 3 is the code of Daemon Script. This script checks every 20 seconds whether Start Script is running, and if not, it starts the script. 
This code has possibly been prepared in case Start Script is terminated unexpectedly.\r\nFigure 3: Daemon Script\r\nGobRAT Overview\r\nGobRAT is a RAT written in Go language that communicates with its C2 server via TLS and executes various commands. It is packed with UPX version 4 series, and samples for various architectures such as ARM, MIPS, x86, and x86-64 have been confirmed. GobRAT performs the following checks at startup and keeps the information within the sample itself.\r\nIP address and MAC address of itself\r\nUptime by uptime command\r\nNetwork communication status by /proc/net/dev\r\nThe following sections describe GobRAT's communication method, encryption method, and the commands it executes.\r\nCommunication method\r\nGobRAT uses TLS to send and receive data with its C2 server. Figure 4 shows an example of communication with the C2 server. The first 4 bytes indicate the size of the data, and the rest is gob[1] data. gob is a data serialization protocol available only in Go language. GobRAT uses gob for receiving commands and sending the results of command execution.\r\nFigure 4: Example of communication content\r\nGobRAT defines gob data as a PACKAGE structure in the sample as follows.\r\ntype PACKAGE struct {\r\n Type uint8 // CommandID\r\n BotCount uint16 // Parameter\r\n BotList []string // Command Parameter\r\n ParamLength uint16 // Length of Param\r\n Param map[string]string // Command Parameter\r\n Content []uint8 // Command Parameter, Command Execution Result, etc\r\n}\r\nThe fields used differ depending on the type of command, and string arrays, maps, and binary data are supported so that various types of parameters can be passed. 
In addition, while binary data can be stored in Content of the PACKAGE structure, map data with strings is converted to binary data by encoding it with the json.Marshal function. The PACKAGE structure is used in various ways depending on the command, such as storing the data in Content, or converting the defined structure to binary data in the same way and storing it in Content.\r\nEncryption Method\r\nStrings such as C2 and Linux commands are encrypted and stored in the sample. Figure 5 shows GobRAT's decryption function. AES128 CTR mode is used to decrypt strings, and the key and IV are hard-coded in the sample. The same key (050CFE3706380723433807193E03FE2F) and IV (\"12345678abcdefgh\") are used in all the confirmed samples. In addition, as shown in Figure 6, the code that has probably been developed by the attacker, such as this decryption function, has a unique folder structure like aaa.com/bbb/me~.\r\nFigure 5: String decryption function\r\nFigure 6: Characteristic folder structure\r\nCommands executed\r\nGobRAT has 22 commands that are executed on instruction from the C2 server, and we have identified the following commands. Since the malware targets routers, you can see that most functions are related to communication, such as frpc, socks5, and reconfiguration of C2. See Appendix A for command details.\r\nObtain machine information\r\nExecute reverse shell\r\nRead/write files\r\nConfigure new C2 and protocol\r\nStart socks5\r\nExecute file in /zone/frpc\r\nAttempt to log in to sshd, Telnet, Redis, MySQL, PostgreSQL services running on another machine\r\nGobRAT Analysis Tools\r\nSince GobRAT uses gob for communication, if you want to emulate its communication with C2 to check commands, you need to create a program using Go language. 
Our C2 emulation tool that supports GobRAT analysis is available on GitHub. Please download it from the following webpage for your analysis.\r\nJPCERTCC/aa-tools/GobRAT-Analysis - GitHub\r\nhttps://github.com/JPCERTCC/aa-tools/tree/master/GobRAT-Analysis\r\nIn Closing\r\nIn recent years, different types of malware using Go language have been confirmed, and the GobRAT malware confirmed this time uses gob, which can only be handled by Go language, for communication. Please continuously beware of malware that infects routers, not limited to GobRAT, since they are difficult to detect.\r\nPlease refer to Appendix B for C2 of the malware, Appendix C for the hash values of the scripts, and Appendix D for the hash values of the malware.\r\nYuma Masubuchi\r\nTranslated by Takumi Nakano\r\nAppendix A: Commands\r\nTable A: GobRAT commands\r\nValue Contents\r\n0x0 Update json data held in malware and acquire update results\r\n0x1 Retrieve json data held in malware\r\n0x3 Start reverse shell\r\n0x4 End of reverse shell connection\r\n0x6 Confirmation of reverse shell connection\r\n0x7 Execute shell command for daemon\r\n0x8 Execute shell command\r\n0xD Read/write specified file\r\n0x10,0x11 Read/write specified file\r\n0x16 Obtain various machine information such as df command\r\n0x17 Set new communication channel for TCP\r\n0x18 Execute SOCKS5 proxy with specified port and password\r\n0x19 Execute SOCKS5 proxy on specified port\r\n0x1a New communication channel setting for UDP\r\n0x1b Execute frpc after executing SOCKS5 proxy on port 5555\r\n0x1f Check for the existence of the specified file\r\n0x25 Login attempts for SSH, telnet, redis, mysql, postgres\r\n0x27 Configuration of specified goroutine\r\n0x2a Scan HTTP/HTTPS service of specified IP\r\n0x2D Dictionary attack against HTTP/HTTPS service of specified 
IP\r\n0x30 C2 configuration related\r\n0x31 DDoS attacks using SYN, TCP, UDP, HTTP, ICMP\r\nAppendix B: C2\r\nhttps://su.vealcat.com\r\nhttp://su.vealcat.com:58888\r\nhttps://ktlvz.dnsfailover.net\r\nhttp://ktlvz.dnsfailover.net:58888\r\nsu.vealcat.com\r\nktlvz.dnsfailover.net\r\nwpksi.mefound.com\r\nAppendix C: Hash values of the scripts\r\n060acb2a5df6560acab9989d6f019fb311d88d5511f3eda0effcbd9fc6bd12bb\r\nfeaef47defd8b4988e09c8b11967e20211b54e16e6df488780e2490d7c7fa02a\r\n3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1\r\n60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3\r\nAppendix D: Hash values of the malware\r\na8b914df166fd0c94106f004e8ca0ca80a36c6f2623f87a4e9afe7d86b5b2e3a\r\naeed77896de38802b85a19bfcb8f2a1d567538ddc1b045bcdb29cb9e05919b60\r\n6748c22d76b8803e2deb3dad1e1fa7a8d8ff1e968eb340311fd82ea5d7277019\r\ne133e05d6941ef1c2e3281f1abb837c3e152fdeaffefde84ffe25338fe02c56d\r\n43dc911a2e396791dc5a0f8996ae77ac527add02118adf66ac5c56291269527e\r\naf0292e4de92032ede613dc69373de7f5a182d9cbba1ed49f589ef484ad1ee3e\r\n2c1566a2e03c63b67fbdd80b4a67535e9ed969ea3e3013f0ba503cfa58e287e3\r\n98c05ae70e69e3585fc026e67b356421f0b3d6ab45b45e8cc5eb35f16fef130c\r\n300a92a67940cfafeed1cf1c0af25f4869598ae58e615ecc559434111ab717cd\r\na363dea1efda1991d6c10cc637e3ab7d8e4af4bd2d3938036f03633a2cb20e88\r\n0c280f0b7c16c0d299e306d2c97b0bff3015352d2b3299cf485de189782a4e25\r\nf962b594a847f47473488a2b860094da45190738f2825d82afc308b2a250b5fb\r\n4ceb27da700807be6aa3221022ef59ce6e9f1cda52838ae716746c1bbdee7c3d\r\n3e1a03f1dd10c3e050b5f455f37e946c214762ed9516996418d34a246daed521\r\n3bee59d74c24ef33351dc31ba697b99d41c8898685d143cd48bccdff707547c0\r\nc71ff7514c8b7c448a8c1982308aaffed94f435a65c9fdc8f0249a13095f665e\r\nReferences\r\n[1] Gobs of data\r\nhttps://go.dev/blog/gob\r\n増渕 維摩(Yuma Masubuchi)\r\nYuma has been engaged in malware analysis in JPCERT/CC Cyber Security Coordination Group since 
2020.\r\nSource: https://blogs.jpcert.or.jp/en/2023/05/gobrat.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blogs.jpcert.or.jp/en/2023/05/gobrat.html"
	],
	"report_names": [
		"gobrat.html"
	],
	"threat_actors": [
		{
			"id": "15b8d5d8-32cf-408b-91b1-5d6ac1de9805",
			"created_at": "2023-07-20T02:00:08.724751Z",
			"updated_at": "2026-04-10T02:00:03.341845Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "MISPGALAXY:APT-C-60",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ab47428c-7a8e-4ee8-9c8e-4e55c94d2854",
			"created_at": "2024-12-28T02:01:54.668462Z",
			"updated_at": "2026-04-10T02:00:04.564201Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "ETDA:APT-C-60",
			"tools": [
				"SpyGlace"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434447,
	"ts_updated_at": 1775791811,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/21d43b444b2e9539656436d97e5e4e6cc60328f2.pdf",
		"text": "https://archive.orkl.eu/21d43b444b2e9539656436d97e5e4e6cc60328f2.txt",
		"img": "https://archive.orkl.eu/21d43b444b2e9539656436d97e5e4e6cc60328f2.jpg"
	}
}